opencode-api-security-testing 5.4.2 → 5.4.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "5.4.2",
+  "version": "5.4.4",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",
@@ -13,11 +13,11 @@
     "postinstall.mjs",
     "preuninstall.mjs"
   ],
-"scripts": {
-  "postinstall": "node postinstall.mjs",
-  "preuninstall": "node preuninstall.mjs",
-  "init": "node init.mjs"
-},
+  "scripts": {
+    "postinstall": "node postinstall.mjs",
+    "preuninstall": "node preuninstall.mjs",
+    "init": "node init.mjs"
+  },
   "keywords": [
     "opencode",
     "opencode-plugin",

package/src/index.ts

@@ -334,9 +334,151 @@ const CYBER_SUPERVISOR = DEFAULT_CONFIG.cyber_supervisor;
 const modelFailureCounts = new Map<string, Map<string, number>>();
 const sessionFailures = new Map<string, number>();
 
-// 追踪已注入 agents prompt 的 session (只注入一次)
+// ============================================================================
+// 上下文注入系统 (参考 oh-my-openagent 的 ContextCollector 模式)
+// ============================================================================
+
+type ContextPriority = "critical" | "high" | "normal" | "low";
+
+interface ContextEntry {
+  id: string;
+  source: string;
+  content: string;
+  priority: ContextPriority;
+  registrationOrder: number;
+  metadata?: Record<string, unknown>;
+}
+
+interface PendingContext {
+  merged: string;
+  entries: ContextEntry[];
+  hasContent: boolean;
+}
+
+class ContextCollector {
+  private sessions = new Map<string, Map<string, ContextEntry>>();
+  private registrationCounter = 0;
+
+  register(sessionID: string, options: {
+    id: string;
+    source: string;
+    content: string;
+    priority?: ContextPriority;
+  metadata?: Record<string, unknown>;
+  }): void {
+    if (!this.sessions.has(sessionID)) {
+      this.sessions.set(sessionID, new Map());
+    }
+
+    const sessionMap = this.sessions.get(sessionID)!;
+    const key = `${options.source}:${options.id}`;
+
+    const entry: ContextEntry = {
+      id: options.id,
+      source: options.source,
+      content: options.content,
+      priority: options.priority ?? "normal",
+      registrationOrder: ++this.registrationCounter,
+      metadata: options.metadata,
+    };
+
+    sessionMap.set(key, entry);
+  }
+
+  getPending(sessionID: string): PendingContext {
+    const sessionMap = this.sessions.get(sessionID);
+
+    if (!sessionMap || sessionMap.size === 0) {
+      return {
+        merged: "",
+        entries: [],
+        hasContent: false,
+      };
+    }
+
+    const entries = this.sortEntries([...sessionMap.values()]);
+    const CONTEXT_SEPARATOR = "\n\n---\n\n";
+    const merged = entries.map(e => e.content).join(CONTEXT_SEPARATOR);
+
+    return {
+      merged,
+      entries,
+      hasContent: entries.length > 0
+    };
+  }
+
+  consume(sessionID: string): PendingContext {
+    const pending = this.getPending(sessionID);
+    this.clear(sessionID);
+    return pending;
+  }
+
+  clear(sessionID: string): void {
+    this.sessions.delete(sessionID);
+  }
+
+  hasPending(sessionID: string): boolean {
+    const sessionMap = this.sessions.get(sessionID);
+    return sessionMap !== undefined && sessionMap.size > 0;
+  }
+
+  private sortEntries(entries: ContextEntry[]): ContextEntry[] {
+    const PRIORITY_ORDER: Record<ContextPriority, number> = {
+      critical: 0,
+      high: 1,
+      normal: 2,
+      low: 3
+    };
+
+    return entries.sort((a, b) => {
+      const priorityDiff = PRIORITY_ORDER[a.priority] - PRIORITY_ORDER[b.priority];
+      if (priorityDiff !== 00 return priorityDiff;
+      return a.registrationOrder - b.registrationOrder;
+    });
+  }
+}
+
+// 全局上下文收集器实例
+const contextCollector = new ContextCollector();
+
+// 騡型回退状态追踪
+const modelFailureCounts = new Map<string, Map<string, number>>();
+const sessionFailures = new Map<string, number>();
+
+// 騡型回退状态追踪（保留向后兼容）
+const pendingFirstMessages = new Set<string>();
 const injectedSessions = new Set<string>();
 
+// 标记新会话创建（由 event hook 调用）
+function markSessionCreated(sessionID: string | undefined): void {
+  if (sessionID) {
+    pendingFirstMessages.add(sessionID);
+    console.log(`[api-security-testing] Session marked for first message injection: ${sessionID}`);
+  }
+}
+
+// 检查是否是首条消息（由 chat.message hook 调用）
+function isFirstMessage(sessionID: string | undefined): boolean {
+  if (!sessionID) return false;
+  return pendingFirstMessages.has(sessionID);
+}
+
+// 标记首条消息已处理（由 chat.message hook 调用，注入后立即调用）
+function markFirstMessageApplied(sessionID: string | undefined): void {
+  if (sessionID) {
+    pendingFirstMessages.delete(sessionID);
+    injectedSessions.add(sessionID); // 记录已注入
+  }
+}
+
+// 清理会话状态（由 event hook 在 session.deleted 时调用）
+function clearSessionState(sessionID: string | undefined): void {
+  if (sessionID) {
+    pendingFirstMessages.delete(sessionID);
+    injectedSessions.delete(sessionID);
+  }
+}
+
 function getConfigPath(ctx: { directory: string }): string {
   return join(ctx.directory, SKILL_DIR, "assets", CONFIG_FILE);
 }
@@ -1268,12 +1410,29 @@ print(json.dumps(result, ensure_ascii=False))
       }),
     },
 
-    // 赛博监工 Hook - chat.message
-    // 注意：已禁用自动注入 agents prompt，避免重复注入问题
-    // 如需使用 agents，请在需要时手动调用相关工具
+    // 赛博监工 Hook - chat.message (保留用于向后兼容，但不再直接注入 agents)
     "chat.message": async (input, output) => {
       const sessionID = input.sessionID;
       
+      // 只在首条消息时注册上下文 (参考 oh-my-openagent 的 ContextCollector 模式)
+      if (isFirstMessage(sessionID)) {
+        const agentsPrompt = getInjectedAgentsPrompt();
+        if (agentsPrompt) {
+          // 注册到上下文收集器，而不是直接修改 output.parts
+          contextCollector.register(sessionID, {
+            id: "api-security-agents",
+            source: "plugin",
+            content: agentsPrompt,
+            priority: "high",
+          metadata: {
+            description: "API Security Testing Agents",
+            timestamp: Date.now().toISOString()
+          });
+        }
+        // 标记该 session 已注入 (参考 oh-my-opencode 的 markApplied)
+        markFirstMessageApplied(sessionID);
+      }
+      
       // 赛博监工压力注入（仅在失败时）
       if (config.cyber_supervisor.enabled && config.cyber_supervisor.auto_trigger) {
         const failures = getFailureCount(sessionID);
@@ -1348,10 +1507,112 @@ ${LEVEL_PROMPTS[level]}
       return output;
     },
 
-    // 会话清理
+    // 会话事件处理
     event: async (input) => {
-      const { event } = input;
+      const { event } = input
+
+      // 新会话创建 - 标记为首条消息待注入 (参考 oh-my-opencode)
+      if (event.type === "session.created") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        const sessionInfo = props?.info as { id?: string; parentID?: string } | undefined;
+
+        // 只有主会话（非 fork）才注入
+        if (sessionInfo?.id && !sessionInfo.parentID) {
+          markSessionCreated(sessionInfo.id);
+          console.log(`[api-security-testing] new session created: ${sessionInfo.id}`);
+        }
+      }
+
+      // 会话删除或压缩 - 清理状态
+      if (event.type === "session.deleted" || event.type === "session.compacted") {
+        const props = event.properties as Record<string, unknown> | undefined;
+        let sessionID: string | undefined;
+
+        if (event.type === "session.deleted") {
+          sessionID = (props?.info as { id?: string })?.id;
+        } else {
+          sessionID = (props?.sessionID ?? (props?.info as { id?: string })?.id) as string | undefined;
+        }
+
+        if (sessionID) {
+          clearSessionState(sessionID);
+          resetFailureCount(sessionID);
+          resetModelFailures(sessionID);
+        }
+      }
+    },
+
+    // 上下文注入 Hook - 使用 synthetic part 模式隐藏注入内容 (参考 oh-my-openagent)
+    // 这是关键！使用 synthetic: true 标记来隐藏 UI 显示
+    "experimental.chat.messages.transform": async (_input, output) => {
+      const { messages } = output;
+      
+      if (messages.length === 0) {
+        return;
+      }
+
+      // 找到最后一条用户消息
+      let lastUserMessageIndex = -1;
+      for (let i = messages.length - 1; i >= 0; i--) {
+        if (messages[i].info.role === "user") {
+          lastUserMessageIndex = i;
+          break;
+        }
+      }
+
+      if (lastUserMessageIndex === -1) {
+        return;
+      }
+
+      const lastUserMessage = messages[lastUserMessageIndex];
+      
+      // 获取 sessionID (参考 oh-my-openagent 的实现)
+      const messageSessionID = (lastUserMessage.info as unknown as { sessionID?: string }).sessionID;
+      const sessionID = messageSessionID ?? Array.from(pendingFirstMessages)[0];
+      
+      if (!sessionID) {
+        return;
+      }
+
+      // 检查是否有待注入的上下文
+      if (!contextCollector.hasPending(sessionID)) {
+        return;
+      }
+
+      const pending = contextCollector.consume(sessionID);
+      if (!pending.hasContent) {
+        return;
+      }
+
+      // 找到文本部分
+      const textPartIndex = lastUserMessage.parts.findIndex(
+        (p) => p.type === "text" && (p as { text?: string }).text
+      );
+
+      if (textPartIndex === -1) {
+        return;
+      }
+
+      // 创建 synthetic part - 关键！synthetic: true 隐藏 UI 显示
+      const syntheticPart = {
+        id: `synthetic_context_${sessionID}`,
+        messageID: lastUserMessage.info.id,
+        sessionID: sessionID,
+        type: "text" as const,
+        text: pending.merged,
+        synthetic: true,  // ← 这是关键！UI 中隐藏此内容
+      };
+
+      // 在文本部分之前插入 synthetic part
+      lastUserMessage.parts.splice(textPartIndex, 0, syntheticPart);
+
+      console.log(`[api-security-testing] Injected context via synthetic part, session=${sessionID}, length=${pending.merged.length}`);
+    },
+  };
+}
+      }
 
+      // 会话删除或压缩 - 清理状态
       if (event.type === "session.deleted" || event.type === "session.compacted") {
         const props = event.properties as Record<string, unknown> | undefined;
         let sessionID: string | undefined;
@@ -1363,6 +1624,7 @@ ${LEVEL_PROMPTS[level]}
         }
 
         if (sessionID) {
+          clearSessionState(sessionID);
           resetFailureCount(sessionID);
           resetModelFailures(sessionID);
         }